Background

Barnyard "decouples output overhead from the Snort network intrusion detection system and allows Snort to run at full speed."[1]

The official Snort documentation states that having another program like Barnyard perform the slow action of writing to a database while Snort logs alerts in the binary unified format will increase Snort performance.[2]

With Sguil, Barnyard is used to process unified files prior to passing the data on to the Sguil sensor agent.

Usage

The README file in sensor/barnyard_mods contains instructions for patching Barnyard, which is required for Barnyard to work properly with Sguil 0.6.0 or 0.6.1. The command line usage for the patched version is identical to that of the standard Barnyard version.
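As an added illustration of the handoff described above (not taken from the Sguil project or its README), the excerpts below show Snort writing unified files and a standard Barnyard reading them; the Snort 2.x and Barnyard 0.2 directive syntax is assumed, the file names, paths, sensor name and database settings are placeholders, and the Sguil-specific output plugin of the patched version is not shown.

```conf
# snort.conf (excerpt): Snort writes alerts and packet logs in the binary
# unified format, so the detection engine never blocks on a database write.
# (Assumed Snort 2.x syntax; file names and the 128 MB roll-over limit are placeholders.)
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# barnyard.conf (excerpt): Barnyard reads the unified files and does the slow
# work of writing to a database and to a human-readable alert file.
# (Assumed Barnyard 0.2 syntax; host, interface and database values are placeholders.)
config hostname: sensor1
config interface: eth0
processor dp_alert
output alert_fast: alert.fast
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort

# Invocation (assumed Barnyard 0.2 options): -c config file, -d the spool
# directory Snort logs into, -f the unified base file name, -w the "waldo"
# bookmark file so a restart resumes where it stopped instead of re-processing
# old records, -D run as a daemon.
# barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#          -w /var/log/snort/barnyard.waldo -D
```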